Project

General

Profile

Bug #15395

Enigmail & AppArmor: Cannot get key from keyserver after finding it

Added by emmapeel 7 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
Start date:
03/12/2018
Due date:
% Done:

100%

QA Check:
Pass
Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Email Client

Description

In Tails 3.6~rc1 I cannot download keys from the keyserver with the Key selection interface as I used to do until Tails 3.5. It seems like the apparmor profile should be updated:

Steps to reproduce:

- Open Thunderbird with Enigmail configured
- Try to send an email to a new email address (that has a public key on the keyservers)
- The Enigmail menu comes out, click on 'Download missing keys'.
- The searchbox appears, you can select a key, but the system gets quite frozen and nothing happens.

On the logs, I see:

Mar 12 08:39:38 amnesia kernel: audit: type=1400 audit(1520843978.662:282820993): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=8570 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000


Related issues

Related to Tails - Bug #11973: Confine Thunderbird with AppArmor Resolved 11/20/2016
Related to Tails - Bug #15610: AppArmor breaks importing public OpenPGP keys from email attachments Resolved 05/21/2018
Blocks Tails - Feature #15139: Core work 2018Q2: Foundations Team Resolved 01/01/2018
Blocked by Tails - Bug #15607: Upgrade to Thunderbird 52.8.0 Resolved 05/19/2018

Associated revisions

Revision 4711cdfd (diff)
Added by bertagaz 7 months ago

Tentatively add an entry for enigmail in the known issues.

Refs: #15395

Revision 9c1c66e9
Added by intrigeri 5 months ago

Merge remote-tracking branch 'origin/bugfix/15607-thunderbird-52.8.0' into stable (Fix-committed: #15607, #15395)

This also includes the first part of Thunderbird EFAIL fixes (refs: #15602)

History

#1 Updated by sajolida 7 months ago

  • Related to Bug #11973: Confine Thunderbird with AppArmor added

#2 Updated by sajolida 7 months ago

  • Assignee set to anonym
  • Priority changed from Normal to Elevated
  • Target version set to Tails_3.7

I understand that this is a regression caused by #11973. Reassigning to anonym who last work on #11973.

#3 Updated by bertagaz 7 months ago

  • Status changed from Confirmed to In Progress

#4 Updated by anonym 7 months ago

  • Assignee changed from anonym to bertagaz
  • Target version changed from Tails_3.7 to Tails_3.6
  • % Done changed from 0 to 30

emmapeel wrote:

In Tails 3.6~rc1 I cannot download keys from the keyserver with the Key selection interface as I used to do until Tails 3.5. It seems like the apparmor profile should be updated:

Steps to reproduce:

- Open Thunderbird with Enigmail configured
- Try to send an email to a new email address (that has a public key on the keyservers)
- The Enigmail menu comes out, click on 'Download missing keys'.
- The searchbox appears, you can select a key, but the system gets quite frozen and nothing happens.

Following these exact steps (without any persistence features enabled), I successfully download the recipient's public key. So I cannot reproduce.

On the logs, I see:

Mar 12 08:39:38 amnesia kernel: audit: type=1400 audit(1520843978.662:282820993): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=8570 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?

So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.

#5 Updated by bertagaz 7 months ago

  • Assignee changed from bertagaz to anonym
  • Target version changed from Tails_3.6 to Tails_3.7

anonym wrote:

I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?

So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.

We've tested that briefly with emmapeel too yesterday, and indeed it appears this bug is triggered only when persistence is enabled. If tofu.db is moved out from .gnupg before using enigmail, then it works again, but I suspect that once the user fires gpg manually, the file will be recreated and the bug will reappear.

I've added a note about that in the known issues for 3.6, explaining to use Seahorse to fetch keys before sending an encrypted email to a new contact. This should still be fixed for 3.7 I think.

#6 Updated by anonym 7 months ago

  • Target version changed from Tails_3.7 to Tails_3.6

bertagaz wrote:

anonym wrote:

I did not see this, or any other entry. I wonder if this only happens when ~/.gnupg is persistent? And some non-default GnuPG configuration?

So, bert, I suggest you get a tester to look into the above hypotheses, and either update or remove the known issue depending on if anything can be reproduced.

We've tested that briefly with emmapeel too yesterday, and indeed it appears this bug is triggered only when persistence is enabled. If tofu.db is moved out from .gnupg before using enigmail, then it works again, but I suspect that once the user fires gpg manually, the file will be recreated and the bug will reappear.

Actually, the file is created when you sign a key. However, when I tested this in a session without persistence I still couldn't reproduce. Interesting... I don't know if this affects the known issue.

I've added a note about that in the known issues for 3.6, explaining to use Seahorse to fetch keys before sending an encrypted email to a new contact.

Great!

This should still be fixed for 3.7 I think.

Absolutely!

#7 Updated by bertagaz 7 months ago

  • Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by emmapeel 7 months ago

I cannot reproduce this on Tails 3.6. Shall we close it? Who else saw it?

#9 Updated by sajolida 7 months ago

  • QA Check changed from Dev Needed to Info Needed
  • Feature Branch set to web/14680-3.6-release-notes

I can't reproduce that in 3.6 either...

anonym: If you agree with me please merge again web/14680-3.6-release-notes (with commit e6cd649727).

#10 Updated by blue9 7 months ago

emmapeel wrote:

I cannot reproduce this on Tails 3.6. Shall we close it? Who else saw it?

I'm seeing this in 3.6.1. (with persistence enabled). Key signing seems to trigger it as well. My logs continue filling up with `apparmor="DENIED"` errors even after I quit Thunderbird. I had to manually kill a `/usr/bin/gpg2` process.

#11 Updated by intrigeri 7 months ago

I'm seeing this in 3.6.1. (with persistence enabled). Key signing seems to trigger it as well. My logs continue filling up with `apparmor="DENIED"` errors even after I quit Thunderbird. I had to manually kill a `/usr/bin/gpg2` process.

Interesting! Can you please share the full error messages you see in the logs?

#12 Updated by intrigeri 7 months ago

(Trying again to reassign.)

#13 Updated by blue9 7 months ago

intrigeri wrote:

Interesting! Can you please share the full error messages you see in the logs?

When I launch Thunderbird, I get:

Mar 21 09:01:00 amnesia thunderbird.desktop[4946]: + exec /usr/bin/thunderbird --class Thunderbird -profile /home/amnesia/.thunderbird/profile.default
Mar 21 09:01:00 amnesia thunderbird[4946]: Failed to parse /home/amnesia/.config/gtk-3.0/settings.ini: Permission denied
Mar 21 09:01:00 amnesia kernel: kauditd_printk_skb: 106139 callbacks suppressed
Mar 21 09:01:00 amnesia kernel: audit: type=1400 audit(1521648060.491:175629027): apparmor="DENIED" operation="open" profile="thunderbird" name="/live/persistence/TailsData_unlocked/dotfiles/.config/gtk-3.0/settings.ini" pid=4946 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 21 09:01:00 amnesia thunderbird[4946]: Unable to load /var/lib/dbus/machine-id: Failed to open file '/var/lib/dbus/machine-id': Permission denied
Mar 21 09:01:01 amnesia thunderbird.desktop[4946]: TorBirdy registered!

When I try to import a key through the Enigmail GUI, I get:

Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:175629028): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 21 09:02:30 amnesia kernel: audit: type=1400 audit(1521648150.435:175629029): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
...
Mar 21 09:02:35 amnesia kernel: kauditd_printk_skb: 465143 callbacks suppressed
...
Mar 21 09:02:35 amnesia kernel: audit: type=1400 audit(1521648155.439:176056887): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=5047 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

When I try to sign a key using the Enigmail GUI, I get:

Mar 21 08:58:45 amnesia kernel: audit: type=1400 audit(1521647925.939:170340275): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Mar 21 08:58:45 amnesia kernel: audit: type=1400 audit(1521647925.939:170340276): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
...
Mar 21 08:58:50 amnesia kernel: kauditd_printk_skb: 461227 callbacks suppressed
...
Mar 21 08:58:50 amnesia kernel: audit: type=1400 audit(1521647930.943:170778392): apparmor="DENIED" operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=4808 comm="gpg2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

#14 Updated by blue9 7 months ago

blue9 wrote:

...apparmor="DENIED" operation="open" profile="thunderbird" name="/live/persistence/TailsData_unlocked/dotfiles/.config/gtk-3.0/settings.ini"...

OK, that one is clearly my own fault. But the `tofu.db` stuff seems relevant.

#15 Updated by intrigeri 7 months ago

Thanks blue9!

Can you please test my tentative fix?

  1. Start Tails as usual but set an Administration Password
  2. Apply https://gitlab.com/intrigeri/apparmor-profiles/commit/040d8631aa121888572b6e1cc8ebc1efe048813e to /etc/apparmor.d/usr.bin.thunderbird
  3. Run sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
  4. Start Thunderbird
  5. Try to perform the operations you've seen fail, monitor the logs, report success/failure and any denial you in the logs

Thanks!

#16 Updated by intrigeri 7 months ago

  • Subject changed from Enigmail&Apparmour: Cannot get key from keyserver after finding it to Enigmail & AppArmor: Cannot get key from keyserver after finding it
  • Assignee changed from anonym to intrigeri
  • Feature Branch deleted (web/14680-3.6-release-notes)

#17 Updated by intrigeri 7 months ago

#18 Updated by intrigeri 7 months ago

intrigeri wrote:

Thanks blue9!

Can you please test my tentative fix?

(Once blue9 has confirmed this fix works, I'll submit it upstream and then will apply it to the Debian packaging of Thunderbird.)

#19 Updated by blue9 7 months ago

intrigeri wrote:

Can you please test my tentative fix?

Thanks! That fixed the key import issue. Signing a key via Enigmail still produced the following:

Mar 22 14:05:27 amnesia audit[11883]: AVC apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db-journal" pid=11883 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 22 14:05:27 amnesia kernel: audit: type=1400 audit(1521727527.047:40): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db-journal" pid=11883 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I added the following to /etc/apparmor.d/usr.bin.thunderbird and it cleared up the key signing error:

owner @{HOME}/.gnupg/tofu.db-journal rkw

Though, to be clear, I don't know apparmor from a hole in the ground, so rkw may be overly permissive.

#20 Updated by intrigeri 7 months ago

  • QA Check changed from Info Needed to Dev Needed

Thanks! That fixed the key import issue. Signing a key via Enigmail still produced the following:
[...]
I added the following to /etc/apparmor.d/usr.bin.thunderbird and it cleared up the key signing error:

Thanks for testing. I'll propose something along these lines upstream.

#21 Updated by intrigeri 7 months ago

intrigeri wrote:

I'll propose something along these lines upstream.

Done: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/13. Once it's merged upstream I'll apply this change to the copy of the profile that's in the Debian packaging of Thunderbird and then we'll get it in Tails whenever we upgrade our Thunderbird package to a version that includes this change.

#22 Updated by intrigeri 7 months ago

  • QA Check deleted (Dev Needed)
  • Type of work changed from Code to Communicate

#23 Updated by intrigeri 7 months ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 30 to 50
  • Type of work changed from Communicate to Wait

Merged upstream, copied to src:thunderbird's Vcs-Git. This will be fixed in thunderbird >> 52.7.0-1. anonym, it's likely that you'll rebase our custom package on top of that one once it's out, so reassigning to you.

#24 Updated by blue9 7 months ago

Plase let me know if I should create a new issue for this. Thunderbird's apparmor profile also seems to be shutting down the import of public keys from attachments:

Mar 29 20:17:12 amnesia kernel: audit: type=1400 audit(1522354632.625:5655774): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/amnesia/.thunderbird/profile.default/tmp/enigmail_import/.#lk0x00...60.amnesia.21310" pid=21310 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I added the last four lines of the following to /etc/apparmor.d/usr.bin.thunderbird, and it seems to have cleared things up. (The first four lines were already there.) Lines 5 and 7 were necessary to make key import work. Lines 6 and 8 were monkey-see-monkey-do; they may or may not be necessary.

    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*  rw,
    owner /tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}.lock rwl,
    owner /tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/.#lk0x[0-9a-f]*  rw,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/.#lk0x[0-9a-f]*x rwl,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/{keyring,trustdb}.lock rwl,
    owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/enigmail_import/{keyring,trustdb}{,~,.tmp} rw,

I verified the bug and tested the above fix with without persistence.

#25 Updated by intrigeri 6 months ago

#26 Updated by intrigeri 6 months ago

#27 Updated by intrigeri 6 months ago

Plase let me know if I should create a new issue for this.

Yes, please.

#28 Updated by intrigeri 6 months ago

  • QA Check set to Ready for QA

#29 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.7 to Tails_3.8

intrigeri wrote:

Merged upstream, copied to src:thunderbird's Vcs-Git. This will be fixed in thunderbird >> 52.7.0-1. anonym, it's likely that you'll rebase our custom package on top of that one once it's out, so reassigning to you.

I don't think we'll do this upgrade for Tails 3.7.

#30 Updated by blue9 5 months ago

I now seem to be getting these tofu.db apparmor errors (on Tails 3.6.2 with an unpatched /etc/apparmor.d/usr.bin.thunderbird) even without any of the triggering events. This behaviour may have changed after I upgraded the Enigmail extension, but I can't be sure. Once Thunderbird has been running for a while, my system freezes with Thunderbird, gpg and kauditd pegged at around 100% CPU.

My journalctl shows a great deal of the following:

May 18 14:50:20 amnesia kernel: audit: type=1400 audit(1526680220.456:21987627): apparmor="DENIED" 
operation="file_lock" profile="thunderbird//gpg" name="/home/amnesia/.gnupg/tofu.db" pid=16498 comm="gpg" 
requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
May 18 14:50:25 amnesia kernel: audit_log_start: 244824 callbacks suppressed
May 18 14:50:25 amnesia kernel: audit: audit_backlog=65 > audit_backlog_limit=64
May 18 14:50:25 amnesia kernel: audit: audit_lost=1082335 audit_rate_limit=0 audit_backlog_limit=64
May 18 14:50:25 amnesia kernel: audit: backlog limit exceeded

I added the six lines mentioned in this thread to /etc/apparmor.d/user.bin.thunderbird, re-parsed the file and will watch to see how it behaves. (More to the point, I'll test again after upgrading to 3.7.)

#31 Updated by intrigeri 5 months ago

  • Blocked by Bug #15607: Upgrade to Thunderbird 52.8.0 added

#32 Updated by intrigeri 5 months ago

  • Related to Bug #15610: AppArmor breaks importing public OpenPGP keys from email attachments added

#33 Updated by intrigeri 5 months ago

  • Assignee changed from anonym to intrigeri

intrigeri wrote:

Plase let me know if I should create a new issue for this.

Yes, please.

I eventually did it myself: #15610.

Regarding the tofu.db issue I'll check that it's fixed once #15607 is done.

#34 Updated by intrigeri 5 months ago

  • Assignee changed from intrigeri to segfault
  • Type of work changed from Wait to Code

Reviewing this on top of #15607 should not take more than 0.5 hours. No code change as the work was done upstream (and merged as part of #15607), so all you need to do is test & confirm that the bug is fixed.

#35 Updated by segfault 5 months ago

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:

Reviewing this on top of #15607 should not take more than 0.5 hours. No code change as the work was done upstream (and merged as part of #15607), so all you need to do is test & confirm that the bug is fixed.

I was able to successfully import a key from the keyservers and sign it. I also tested importing from an email attachment (#15610) which still fails. I spent 10 minutes.

#36 Updated by intrigeri 5 months ago

  • Status changed from In Progress to Fix committed

I was able to successfully import a key from the keyservers and sign it. I also tested importing from an email attachment (#15610) which still fails.

Thanks, merged.

I spent 10 minutes.

Noted.

#37 Updated by intrigeri 5 months ago

  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100

#38 Updated by intrigeri 4 months ago

  • Target version changed from Tails_3.8 to Tails_3.7.1

#39 Updated by intrigeri 4 months ago

  • Assignee set to BitingBird

#40 Updated by intrigeri 4 months ago

  • Assignee deleted (BitingBird)

#41 Updated by intrigeri 4 months ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF